Issue Date: June 12, 2008
Audit Case Number: 2008-DP-0004

TO:      Brian D. Montgomery, Assistant Secretary for Housing – Federal Housing Commissioner, H
         Mike Milazzo, Acting Chief Information Officer, Q

         /s/
FROM:    Dorothy Bagley, Acting Director, Information Systems Audit Division, GAA

SUBJECT: Review of Selected FHA Major Applications’ Information Security Controls


HIGHLIGHTS

What We Audited and Why

We audited the Federal Housing Administration’s (FHA) management of its information technology resources and compliance with U.S. Department of Housing and Urban Development (HUD) and other federal information security requirements. Our overall objective was to determine whether FHA effectively managed security controls relating to its information technology resources. This audit supported our financial statement audits of FHA and HUD as well as our annual Federal Information Security Management Act review.

What We Found

FHA did not (1) fully implement required security controls related to personnel security, user access, and audit log management for the Single Family Insurance System - Claims Subsystem; (2) define or implement adequate security controls over its business partners that develop, store, and process HUD data; and (3) have assurance that mandatory security controls had been implemented and followed the federal information security framework. We also found that the HUD Office of the Chief Information Officer did not follow its own policy on performing security impact assessments when significant changes were made to a system.

What We Recommend

We recommend that FHA and HUD incorporate the federal information security program framework into their management processes so that security assessments, continuous monitoring, personnel security, and appropriate access to systems and data are assured.

For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us copies of any correspondence or directives issued because of the audit.

Auditee’s Response

The complete text of the auditee’s response, along with our evaluation of that response, can be found in appendix A of this report.


TABLE OF CONTENTS

Background and Objectives

Results of Audit
    Finding 1: Weaknesses Existed in Security Controls for the Single Family Insurance System - Claims Subsystem
    Finding 2: FHA Did Not Define or Implement Adequate Security Control Requirements over Business Partner Development, Processing, or Storage of Single-Family Mortgage Data
    Finding 3: FHA Did Not Have Assurance That Mandatory Security Controls Had Been Implemented
    Finding 4: HUD OCIO Did Not Follow Its Own Policy on Performing Security Impact Assessments When Significant Changes Were Made

Scope and Methodology

Internal Controls

Follow-up on Prior Audits

Appendixes
    A. Auditee Comments and OIG’s Evaluation


BACKGROUND AND OBJECTIVES

The Federal Housing Administration (FHA) provides mortgage insurance on loans made by FHA-approved lenders throughout the United States and its territories. FHA has developed a number of information systems to support its mortgage insurance and related program activities. We recently evaluated 25 of FHA’s major information systems and issued an audit report on the information security weaknesses identified.[1]

The Federal Information Security Management Act of 2002 (FISMA) provides a “comprehensive framework” to ensure that agency information security controls support and protect federal operations and their assets. Compliance with FISMA entails active management of organizational risk and is the key element in the organization’s compliance with the federal information security program framework. The information security framework guides the selection of appropriate security controls for an information system—the security controls necessary to protect individuals and the operations and assets of the organization. The guidance provided in FISMA details the agency’s responsibilities to protect against unauthorized use of information that could harm information collected on behalf of the agency. We used FISMA’s requirements as the basis for developing our methodology for performing this audit.

Our overall objective was to determine whether FHA’s information system security controls had been fully implemented for selected FHA applications. The criteria that we used during our audit included information security circulars issued by the Office of Management and Budget, FISMA, and publications by the National Institute of Standards and Technology.

[1] Audit Report No. 2008-DP-0002, “Review of FHA Controls over Its Information Technology Resources,” dated October 31, 2007.


RESULTS OF AUDIT

Finding 1: Weaknesses Existed in Security Controls for the Single Family Insurance System - Claims Subsystem

Key personnel within FHA (1) did not enforce personnel security policies and ensure that appropriate background investigations were completed for employees and contractors for the Single Family Insurance System - Claims Subsystem, (2) gave excessive access rights and access to data beyond employees’ and contractors’ job requirements, and (3) did not establish an effective audit log management and monitoring process. FHA officials indicated that they either did not realize the need to have background investigations or assumed that information technology (IT) developers’ background investigations had been properly completed. Further, FHA had not implemented effective processes for managing and monitoring system access privileges and audit logs. Without adequate background checks, access rights assignment, and audit log management, FHA did not operate the Claims Subsystem in accordance with federal information security requirements. As a result, the data processed within the Claims Subsystem were not adequately protected.

The Claims Subsystem is one of HUD’s mission-critical systems. This major application is used by HUD headquarters and field office personnel, external government agencies, and business partners to electronically submit and process claims for single-family mortgage insurance benefits. The system processes approximately 178,000 claims per year. Payment schedules averaging $25-$30 million per day are transmitted to the U.S. Treasury, with total single-family mortgage insurance benefit payments exceeding $6 billion per year.

Appropriate Background Checks Were Not Performed

FHA employees and contractors did not always have a background investigation or the appropriate background investigation. HUD Personnel Security Handbook 732.2, REV-1, section 4-5B, states, “every HUD employee and every contractor working on behalf of HUD has, on record, no less than National Agency Check and Inquiries (NACI). For those with above-read access to financial systems or other systems designated by the Department a Limited Background Investigation is required.” In addition, the matrix for background investigations for financial systems in appendix A of the handbook indicates that the developer and project lead should have a limited background investigation, while supervisors of moderate risk systems and system/security administrators should have a background investigation, the highest investigation type.

In our review of 24 HUD employees and contractors who had above-read access to Claims Subsystem production data files, we identified the following:

•   Ten employees did not have a background investigation on file.
•   Eleven employees did not have the proper background investigation.
    -   Six HUD employees had only a minimum background investigation[2] but should have had a limited background investigation[3] since they all had greater than read access to Claims Subsystem production data files.
    -   Five HUD contractors did not have a full background investigation as required for their positions. One of the five was the Endevor[4] administrator, who had a limited background investigation rather than the full background investigation required for system/security administrators. The other four had minimum background investigations, although their positions required them to have limited background investigations.
•   The remaining three employees had the proper background investigations.

FHA officials indicated that they did not know the employees and contractors did not have a background investigation or did not have the proper background investigations; rather, they assumed that the IT developers’ background investigations had been properly conducted. By not performing required background screenings, HUD increased its risk that unsuitable individuals would have access to sensitive systems and data. Background investigations ensure, to the extent possible, that employees are suitable to perform their duties.

[2] According to the HUD Handbook 732.3 REV-1, “Personnel Security/Suitability,” a minimum background investigation consists of a National Agency Check and Inquiries (NACI) plus an automated credit check covering residence and employment locations for the past five years, an interview of the subject, and written inquiry of residences and references. A National Agency Check and Inquiries is the minimum investigation required for all Federal employment, including contractors, except when employment is not to exceed 180 days in the aggregate. It is a background investigation, but is conducted only for individuals in non-sensitive positions and is referred to Government-wide as a NACI.

[3] According to the HUD Handbook 732.3 REV-1, “Personnel Security/Suitability,” a limited background investigation is an investigation which consists of a National Agency Check and Inquiries, credit search, personal subject interview, and personal interviews by an investigator of the subject’s background during the most recent three years.

[4] Endevor is a configuration management tool that controls, automates, and monitors the entire application development life cycle. An Endevor administrator can control source code files.

Unnecessary Access Rights Were Granted to Production Data Files

Some FHA application developers and Claims Subsystem users had more access to the application’s production data files[5] than was necessary to perform their assigned job functions. Specifically,

•   Two Claims Subsystem users, a financial analyst and an accountant from the Single Family Accounting Branch, had access type “all” to all the data files, which permitted them to read, write, and update records. Financial analysts and accountants typically do not require access to production data files and are not required to modify them.
•   Three application project officers for the Claims Subsystem had update access to a data file but did not require above-read access.
•   Five IT contractor developers were granted above-read access to production data files, which violated HUD’s policy of not allowing developers access to production resources.

FHA’s system owners did not realize that some users had been granted above-read access to Claims Subsystem data files because they had not implemented an effective monitoring process.

By not following the principle of least privilege, HUD decreased its ability to protect sensitive information and limit the potential damage that could result from accident, error, or unauthorized use. Additionally, HUD risked exposure of confidential and critical information by providing access to applications or system attributes that were above the users’ authorized access levels.

[5] The HUD General Deputy Assistant Secretary for Administration’s memorandum to the Office of Administration Government Technical Representatives and Government Technical Monitors, dated February 28, 2000, states that “HUD will no longer approve requests to provide IT developers with production accounts or allow access to production resources (application systems).”

Audit Logs Were Not Adequately Managed and Monitored

FHA did not design or implement effective information security controls for monitoring and managing audit logs. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems,” states, “The organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.”

Although the Claims Subsystem application’s audit logs were able to capture and monitor its transactions, the application’s user login activities recorded in the Customer Information Control System’s[6] audit log had not been sufficiently retained and monitored. HUD stated that these user login data were not reviewed unless there was an incident that required investigation.
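The periodic review that this paragraph and the preceding access-rights subsection say was not being performed can be mechanised: counting failed sign-ons per user for the information system security officers, checking how much history the retained log actually covers against the one-year requirement, and flagging above-read actions on production data files by users whose role does not call for them. The following is an added example written for this page, not code from the report, HUD, or FHA; the log line format, user ids, dataset names and role table are constructed for illustration and do not represent the real Customer Information Control System journal format.

```python
"""Audit-log review against least-privilege and log-management policy.

Added example, not from the HUD OIG report. The log format, user ids,
dataset names and role table are constructed; the real CICS journal
format differs.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of sign-on and data-file access events (not real data).
SAMPLE_LOG = """\
2008-03-01T08:15:02Z SIGNON user=BPART02 result=FAIL
2008-03-01T08:15:20Z SIGNON user=BPART02 result=FAIL
2008-03-01T08:15:41Z SIGNON user=BPART02 result=FAIL
2008-03-01T08:16:05Z SIGNON user=BPART02 result=FAIL
2008-03-01T09:02:11Z SIGNON user=DEV007 result=OK
2008-03-01T09:05:44Z FILE user=DEV007 dataset=CLAIMS.PROD.MASTER action=UPDATE
2008-03-02T10:00:00Z SIGNON user=ACC003 result=FAIL
2008-03-02T10:00:30Z SIGNON user=ACC003 result=OK
2008-03-02T10:01:12Z FILE user=ACC003 dataset=CLAIMS.PROD.MASTER action=READ
2008-03-15T14:20:00Z FILE user=ACC003 dataset=CLAIMS.PROD.PAYSCHED action=WRITE
2008-03-20T07:45:00Z FILE user=SEC001 dataset=CLAIMS.PROD.MASTER action=UPDATE
2008-04-01T16:30:00Z FILE user=DEV007 dataset=CLAIMS.TEST.MASTER action=WRITE
"""

# Constructed role table (hypothetical user ids).
ROLES = {
    "BPART02": "business_partner",
    "DEV007": "developer",
    "ACC003": "accountant",
    "SEC001": "security_admin",
}
# Only these roles may hold above-read (write/update) access to production data.
ABOVE_READ_ALLOWED = {"security_admin"}
ABOVE_READ_ACTIONS = {"WRITE", "UPDATE", "DELETE"}


def parse_log(text):
    """Parse 'timestamp KIND key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        event = {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "kind": kind,
        }
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def failed_logon_report(events, threshold=3):
    """Failed sign-ons per user, keeping only users at or above the threshold."""
    fails = Counter(e["user"] for e in events
                    if e["kind"] == "SIGNON" and e.get("result") == "FAIL")
    return {user: n for user, n in fails.items() if n >= threshold}


def retention_coverage(events, as_of, required_days=365):
    """Days of history the retained log covers, and whether that meets policy."""
    oldest = min(e["ts"] for e in events)
    covered = (as_of - oldest).days
    return covered, covered >= required_days


def above_read_violations(events, roles):
    """Above-read actions on PROD datasets by users whose role does not allow them."""
    violations = []
    for e in events:
        if e["kind"] != "FILE" or e["action"] not in ABOVE_READ_ACTIONS:
            continue
        if ".PROD." not in e["dataset"]:
            continue  # test/development datasets are out of scope here
        role = roles.get(e["user"], "unknown")
        if role not in ABOVE_READ_ALLOWED:
            violations.append((e["user"], role, e["dataset"], e["action"]))
    return violations


def review(text=SAMPLE_LOG, as_of=datetime(2008, 4, 1, tzinfo=timezone.utc), roles=ROLES):
    """Run the three checks over one log extract and return a report dict."""
    events = parse_log(text)
    covered, ok = retention_coverage(events, as_of)
    return {
        "failed_logons": failed_logon_report(events),
        "retention_days": covered,
        "retention_ok": ok,
        "above_read_violations": above_read_violations(events, roles),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows one business-partner id with four failed sign-ons, a log that covers only 30 days against the 365 required, and two above-read actions on production datasets (a developer update and an accountant write); the security administrator's update is accepted and the developer's write to a TEST dataset is ignored. Dataset naming and the `.PROD.` test are assumptions for the example.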
HUD Handbook 2400.25, REV-1, “Information Technology Security Policy,” requires audit logs to be recorded and retained for no less than a year for systems rated moderate to high, the periodic review of audit records for inappropriate or unusual activity, investigation of suspicious activity or suspected violations, and reporting of findings to the appropriate officials.

Without adequate security log management process controls in place, HUD could not maintain an inclusive history of events, and it would be unable to perform audit and forensic analysis and identify operational trends and long-term problems, which could help establish security controls.

[6] The Customer Information Control System is a transaction processing system that runs primarily on IBM mainframe systems for online and batch activities; it acts as a front-end access to an application (e.g., the Claims Subsystem) and provides online transaction management connectivity for mission-critical applications.

Conclusion

FHA did not fully design or implement required information security controls related to background checks, access rights, or audit log management because of insufficient security control oversight and monitoring at the general support system and application levels. Without these information security controls in place, FHA could not operate the Claims Subsystem, one of its major applications, in accordance with federal information security requirements, and the data processed within the Claims Subsystem were not adequately protected.

Recommendations

We recommend that the Assistant Secretary for Housing

1A. Ensure that FHA system owners work closely with application government technical monitors/government technical representatives to identify and obtain the appropriate access and background investigations for their application users.

1B. Initiate a request with Office of Security and Emergency Planning staff to determine whether the FHA contractor employees have had the appropriate background investigations. Follow up with Office of Security and Emergency Planning staff to ensure that background investigations are initiated for FHA applications’ contractor staff if required.

1C. Obtain the listing of Claims Subsystem users with above-read access to the production data files from the Office of the Chief Information Officer (OCIO) and work with OCIO to make the necessary adjustment to their access privileges based on their job functions.

1D. Obtain the current listing of all users with above-read access to FHA application data from OCIO, perform an assessment to determine specifically what access is granted to all FHA developers including both HUD employees and contractors, and update this listing with the assistance of OCIO to ensure that the most restrictive set of rights/privileges or accesses needed by users for the performance of specified tasks is assigned.

We recommend that the Acting Chief Information Officer

1E. Provide FHA with a current listing of all users with above-read access to FHA application data and remove any developers’ unnecessary access to FHA applications upon FHA’s confirmation notification.

1F. Initiate a request with the Office of Security and Emergency Planning staff to determine whether the IT infrastructure contractor employees with administrative access (such as DB2, Endevor, and PVCS) to FHA applications and the platforms where the applications reside have had appropriate background investigations. Follow up with Office of Security and Emergency Planning staff to ensure that background investigations are initiated for IT infrastructure contractor staff if required.

1G. Require the HUD IT infrastructure contractor to maintain the Customer Information Control System audit log so that activities can be traced back for at least one year.

1H. Require the HUD information technology infrastructure contractor to provide a Customer Information Control System user failed logon attempts report and then disseminate pertinent information to the information system security officers for review and monitoring on a periodic basis.


Finding 2: FHA Did Not Define or Implement Adequate Security Control Requirements over Business Partner Development, Processing, or Storage of Single-Family Mortgage Data

FHA did not develop or implement adequate information security controls for its business partners and outside entities that remotely access or develop, process, and maintain HUD data for the FHA Connection application. FHA depended on its business partners to generate, process, and store FHA mortgage data but had not established information security guidance or requirements. As a federal entity, FHA is required by FISMA to ensure that its data are adequately protected from unauthorized access, use, destruction, disclosure, disruption, or modification even when the data are maintained on behalf of the agency. FHA program staff were not fully aware of their responsibility for the information collected, processed, and stored on their behalf. By not providing adequate security controls and safeguards over data maintained outside HUD’s secured physical perimeter, FHA did not comply with HUD regulations or federal guidelines. As a result, data that were critical to FHA’s mission and its ability to operate efficiently and effectively were at risk of theft, loss, or destruction.

Security Controls for Business Partners Were Not Developed or Defined

FHA did not develop or implement adequate security controls over its business partners and outside entities that remotely access or develop, process, and maintain HUD data outside the agency’s secured physical perimeter. FHA did not consider or assess the risk of exchanging information among business partners and other external entities or develop appropriate security controls. Based on interviews with FHA officials, there was no FHA-specific process that established specific requirements to protect information exchanged and/or that specified particular remedies for failure to protect the information as prescribed.

We found a lack of management controls over the FHA Connection, an interactive system on the Internet that gives approved business partners and outside entities access to update single-family mortgage and insurance systems. As of April 1, 2008, 59,342 users from 22,425 institutions and branches had signed up to use the FHA Connection, and average volume was between 200,000 and 250,000 transactions per day. FHA management did not (1) provide guidance on required security controls such as data retention and encryption or disposal of confidential and personally identifiable information, (2) require a memorandum of understanding with business partners detailing security requirements, or (3) monitor or require quality assurance reviews of systems that provide data to HUD or data collected, processed, and maintained remotely on behalf of HUD.

FISMA holds federal agencies responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on their behalf and information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

NIST SP 800-53[7] states that the assurance or confidence that the risk to the organization’s operations, assets, and individuals is at an acceptable level depends on the trust that the authorizing official places in the external service provider. In some cases, the level of trust is based on the amount of direct control the authorizing official is able to exert on the external service provider with regard to the employment of appropriate security controls necessary for the protection of the service and the evidence brought forth as to the effectiveness of those controls. The level of control is usually established by the terms and conditions of the contract or service-level agreement with the external service provider and can range from extensive (e.g., negotiating a contract or agreement that specifies detailed security control requirements for the provider) to very limited (e.g., using a contract or service-level agreement).

FHA program managers and system owners did not review or require security controls over FHA’s partners because they were not fully aware of the federal requirements to do so. They believed that they should not have to provide guidance, monitor, or require the business partners to implement and maintain security measures.

Further, FHA maintained that there was no way to structurally organize a security policy for all outside personnel that access its systems. Business partners completed a yearly quality controls self-assessment as required by FHA; however, there was no quality assurance requirement for information systems security controls. FHA did not require or plan to address the lack of security controls in the quality control process. As a result, FHA did not monitor the security measures in place at its business partners’ sites and did not require assurance regarding the information systems controls that were implemented. Without these assurances, FHA could not fulfill its responsibilities under FISMA related to providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by FHA or on its behalf.

[7] “Recommended Security Controls for Federal Information Systems,” dated December 2006.

Conclusion

FHA did not comply with federal statutes or information security requirements, as it did not develop or implement adequate security controls over its business partners and outside entities that remotely access or develop, process, and maintain HUD data outside the agency’s secured physical perimeter. This condition occurred because FHA program staff believed that they were not responsible for the information collected, processed, and stored on their behalf. Further, FHA management did not provide sufficient guidance on required security controls or adequately monitor business partner use of systems that provide data to HUD or data collected, processed, and maintained remotely on behalf of HUD. As a result, FHA data were at an unmeasured level of risk of theft, loss, or destruction.

FHA relies heavily on its business partners’ and outside entities’ use of information technology systems and data to carry out its mission and operate efficiently and effectively. Therefore, appropriate security controls and safeguards must be established to minimize the risks associated with business partners and outside entities remotely accessing, developing, processing, and maintaining HUD data.

Recommendations

We recommend that the Assistant Secretary for Housing

2A. Identify the information security controls needed by FHA to ensure that the data uploaded into the FHA Connection are adequately protected and use a risk-based approach that requires its business partners to design and implement appropriate information security controls in their operation.

2B. Design and implement guidance, tools, and the communications necessary to ensure that FHA’s business partners are aware of their roles and responsibilities to protect FHA data.

2C. Ensure that within the annual quality assurance requirements, there is a requirement for an assessment of the business partners’ information security controls that protect FHA data.

2D. Coordinate the quality assurance plans with business partners to include security measures.


Finding 3: FHA Did Not Have Assurance That Mandatory Security Controls Had Been Implemented

FHA’s Office of Housing did not ensure that mandatory security controls[8] that establish a level of “security due diligence” were implemented, assessed, or monitored. Our review of the information security self-assessment[9] documents for several major FHA applications[10] disclosed (1) missing or improperly assigned mandatory security controls, (2) common security controls that were not clearly identified, and (3) a lack of appropriate security awareness and specialized training. These deficiencies occurred because the responsibility for the assessment and monitoring of common controls was not clearly assigned, HUD and federal regulations were misunderstood, and some FHA personnel involved in completing security self-assessments lacked the appropriate role-based training. As a result, HUD and FHA could not ensure that their information systems and data were adequately secured and protected. A lack of understanding of the status of security programs and controls prevents HUD and FHA management from making informed decisions and investments to mitigate risks that can negatively impact their ability to meet mission goals.

Mandatory Security Controls Were Consistently Missing from System Security Documentation

During the Office of Housing’s self-assessments completed in September 2007, not all required security controls were assessed. The mandatory security controls were not assessed because they were not a part of the FHA-prepared security control listing or because of improper impact ratings for the applications.[11] This omission resulted in those specific security controls not being included in the FHA major applications’ security documentation and monitoring processes. After the self-assessment process, FHA, independent from the Office of Inspector General and using contractor support, identified 23 NIST SP 800-53 security controls as missing from FHA’s baseline[12] of security controls. The information security controls missing from the entire selected FHA major application security program included

•   Security-related activity planning;
•   Acquisition;
•   Security certification;
•   Fire protection;
•   Information system backup;
•   Information system component inventory (low and moderate baselines);
•   Flaw remediation;
•   Information system monitoring tools and techniques;
•   Media transport (moderate and high baselines);
•   Remote access;
•   Use of external information systems;
•   Auditable events;
•   Audit monitoring, analysis, and reporting;
•   Time stamps;
•   Boundary protection (including control enhancements 3, 4, and 5);
•   Secure name/address resolution service (authoritative service);
•

[8] Controls are classified as common controls or application-specific controls. Security controls designated by the organization as common controls are in most cases managed by an organizational entity other than the information system owner. Application controls or organization security controls containing organization-defined parameters (i.e., assignment and/or selection operations) give organizations the flexibility to define selected portions of the controls to support specific organizational requirements or objectives.

[9] The self-assessment questionnaire, based on NIST SP 800-53 controls for information systems, provides the agency baseline of mandatory controls.

[10] Single Family Insurance System - Claims Subsystem, Single Family Acquired Asset Management System, Single Family Mortgage Notes, Home Equity Conversion Mortgages, Computerized Homes Underwriting Management, FHA Connection, and FHA Subsidiary Ledger.

[11] As required by FISMA, the U.S. Department of Commerce’s National Institute of Standards and Technology promulgated the Federal Information Processing Standard (FIPS) 199, which establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.
  Architecture and provisioning for name/address resolution; and\n                 \xe2\x80\xa2   Session authenticity.\n\n                 There were also five security controls that were missing due to the improper\n                 impact rating for the application. These lacking security controls applied to those\n                 sections that were improperly assigned low, moderate, and high impact.\n\n                 \xe2\x80\xa2   Contingency planning control CP-6.2 was not applicable to a moderate\n                     system.\n                 \xe2\x80\xa2   Remote maintenance was missing (from a moderate system).\n                 \xe2\x80\xa2   Media labeling was not applicable to a moderate system.\n                 \xe2\x80\xa2   Wireless access restriction was missing (from a moderate system).\n                 \xe2\x80\xa2   Resource priority was not applicable to a moderate system.\n\n\n\n\n12\n  Baseline controls are the minimum security controls recommended for an information system based on the\nsystem\xe2\x80\x99s security categorization in accordance with FIPS 199.\n\n\n\n\n                                                      14\n\x0cCommon Security Controls\nWere Not Clearly Identified\n\n\n\n            Security controls designated by the organization as \xe2\x80\x9ccommon controls\xe2\x80\x9d (i.e.,\n            controls that are common to FHA and other HUD organizations) are managed by\n            the Office of the Chief Information Officer (OCIO) rather than the information\n            system owner. Organizational decisions on which security controls are viewed as\n            common controls may greatly affect the responsibilities of individual information\n            system owners with regard to the implementation of controls in a particular\n            baseline. 
Every control in a baseline must be fully addressed by either the\n            organization or the information system owner.\n\n            OCIO\xe2\x80\x99s information security self-assessment template is provided to the\n            information systems security officer and system owners as guidance for the\n            assessment of the minimum baseline security controls as outlined in NIST 800-53.\n            The template did not clearly identify which of the template\xe2\x80\x99s controls was HUD\xe2\x80\x99s\n            responsibility as a common control. This condition adversely impacted FHA\xe2\x80\x99s\n            ability to identify the controls it was responsible for on an application level.\n            Consequently, FHA created its own set of information security controls\n            determining which controls were its responsibility and which controls should be\n            the responsibility of OCIO. As a result, mandatory controls were not assessed or\n            monitored.\n\nFHA Staff Required Role-Based\nSecurity Awareness and\nTraining\n\n            The Office of Housing was taking steps to improve its information technology\n            security awareness and documentation; however, its lack of understanding of\n            mandatory security controls for which it is responsible resulted in a deficient IT\n            security program. Complete self-assessment information and guidance were\n            provided on the HUD internal Web site; however, the proper tools were not used\n            to ensure that all elements of the annual security reviews were completed and\n            implemented. The noted deficiencies were primarily due to a misunderstanding\n            of the regulations. The lack of FHA staff training contributed to these missing\n            elements. 
Not all staff members who played a pertinent role in completing the\n            security assessment documentation received the same training.\n\n            Federal regulations require that individuals with security responsibility have the\n            required training to meet their job functions. NIST SP 800-16, \xe2\x80\x9cInformation\n            Technology Security Training Requirements: A Role and Performance Model,\xe2\x80\x9d\n            section 4.1, states, \xe2\x80\x9c...training and education are to be provided selectively, based\n\n\n\n                                              15\n\x0c             on individual responsibilities and needs. Specifically, training is to be provided to\n             individuals based on their particular job functions. Education is intended for\n             designated IT security specialists in addition to role based training.\xe2\x80\x9d\n\n\nConclusion\n\n\n             FHA did not comply with HUD and federal regulations with regard to annual\n             security assessments and had no assurance that all mandatory security controls\n             had been implemented. As a result, HUD and FHA could not properly ensure\n             that their information systems and data were adequately secured and protected\n             from threats. The deficiencies identified above occurred because (1)\n             responsibility for the assessment and monitoring of common controls was not\n             clearly assigned, (2) HUD and federal regulations were misunderstood, and (3) all\n             FHA personnel involved in completing security self-assessments did not receive\n             the appropriate role-based training.\n\n             It is necessary that officials understand the current status of security programs and\n             controls to make informed judgments and investments that appropriately mitigate\n             risks that could negatively impact their mission goals. 
FHA needs to ensure that\n             all elements are fully implemented into its security documents to prevent and plan\n             for possible situations and risks associated with the data HUD maintains.\n\n\nRecommendations\n\n\n\n         We recommend that the Assistant Secretary for Housing\n\n         3A. Ensure that a training development plan is fully implemented so that staff may\n             complete their tasks based on their specific positions and be fully aware of\n             their roles and responsibilities as they relate to the management of the\n             systems.\n\n         3B. Monitor and ensure that the missing security controls are implemented in all\n             future security self-assessments, continuous monitoring, activities, and the\n             fiscal year 2008 certification and accreditation process.\n\n         3C. Include missing security controls in appropriate system security plans used by\n             the Office of Housing.\n\n\n\n\n                                              16\n\x0cWe recommend that the Acting Chief Information Officer\n\n3D. Revise the self-assessment template to note which of the controls listed are\n    considered to be common controls and as a result, primarily the responsibility\n    of OCIO as the general support system owner.\n\n\n\n\n                                 17\n\x0cFinding 4: HUD OCIO Did Not Follow Its Own Policy on Performing\nSecurity Impact Assessments When Significant Changes Were Made\nHUD\xe2\x80\x99s Office of the Chief Information Officer (OCIO) made a significant change to a general\nsupport system 13 that supports FHA\xe2\x80\x99s core financial system, the upgrading of an operating\nsystem, without performing a security impact assessment as required by federal and HUD\ninformation system policy. 
This situation occurred because HUD\xe2\x80\x99s contractor did not consider\nthe change to be significant and advised HUD that a security impact assessment was not needed.\nTo determine whether there was a security impact to the general support system, we performed a\nseries of compliance checks 14 and found a number of improper configurations, mostly related to\npassword issues, and policy violations on associated Windows servers. These vulnerabilities\nshould have been reported and incorporated into HUD\xe2\x80\x99s monitoring program until corrected.\nWithout conducting a security impact assessment, OCIO could not assure itself or HUD\xe2\x80\x99s\ncomponents that it had adequately protected HUD\xe2\x80\x99s systems.\n\n\n     HUD Did Not Follow Its Own\n     Certification and Accreditation\n     Policy\n\n                 HUD did not comply with the federal information security framework related to\n                 the continuous monitoring phase of the certification and accreditation process.\n                 Specifically, HUD did not review significant changes made to a general support\n                 system. A significant change imposes a change in the security risks faced and\n                 needs to be analyzed by performing a security impact assessment. Our review\n                 found that HUD did not complete a security impact assessment of the general\n                 support system that supports FHA\xe2\x80\x99s core financial system, FHA Subsidiary\n                 Ledger, before upgrading the operating system from Solaris version 8 to version\n                 10. Federal guidance specifically identifies operating system changes as\n                 significant.\n\n                 OCIO was not able to provide planning documentation to justify its reasoning\n                 prepared in advance of the conversion for not conducting a security impact\n                 assessment. 
OCIO staff stated that they relied on the contractor responsible for\n                 HUD\xe2\x80\x99s information technology infrastructure and did not believe a security\n                 impact assessment or a new certification and accreditation were necessary. They\n                 added that there were only a few systems converted to the new updated software\n\n\n13\n   An interconnected set of information resources under the same management control that shares common\nfunctionality. It includes hardware, software, information, data, applications, communication, and people.\n14\n   Unlike scans, which usually involve a more comprehensive vulnerability assessment, a compliance check is a\nmanual check of configurations on the server against configuration guidelines provided by NIST and the Defense\nInformation Systems Agency security technical implementation guidelines.\n\n\n                                                       18\n\x0c                 and that a certification and accreditation would take place sometime in fiscal year\n                 2008.\n\n                 The federal guidance 15 that governs certification and accreditation states that\n                 when accrediting a federal information system, an agency official accepts the\n                 risks associated with operating the system and the associated implications\n                 regarding agency operations, agency assets, or individuals. Completing a security\n                 accreditation ensures that an information system will be operated with appropriate\n                 management review, that there is ongoing monitoring of security controls, and\n                 that there will be a reaccreditation whenever there is a significant change to the\n                 system or its operational environment. 
The guidance specifically states that a\n                 change to an operating system is a significant change.\n\n                 A security impact assessment was not performed when completing changes to the\n                 general support system because HUD\xe2\x80\x99s information technology infrastructure\n                 contractor recommended that a security impact assessment was not needed.\n                 OCIO accepted the recommendation from the contractor without documented\n                 evidence identifying reasons why a security impact assessment should not be\n                 completed. After we questioned OCIO, OCIO staff requested additional\n                 information and received a written document from the contractor explaining its\n                 recommendation. However, the statement did not conform to either HUD or\n                 federal policy.\n\n                 FHA\xe2\x80\x99s core financial system was one of the systems residing on the general\n                 support system that migrated from the Solaris 8 operating system to the Solaris 10\n                 operating system, and affected servers processed the financial data that were the\n                 source for FHA\xe2\x80\x99s financial statement reports. The lack of review before the\n                 conversion left this information susceptible to undetected changes.\n\n\n          Improper System\n          Configurations Went\n          Undetected\n\n\n                 OCIO did not perform security assessments or testing on the UNIX servers\n                 impacted by the conversion from Solaris 8 to Solaris 10 or associated Windows\n                 servers to determine whether the new implementation created any new\n                 vulnerabilities. Without testing, there would be no way to determine whether any\n                 additional controls were needed to address the differences between the two\n                 operating systems. 
We were told that HUD had not prepared standard procedures\n                 for the new features in version 10, which could leave data vulnerable. In addition,\n                 roles and responsibilities associated with these new features had not been\n                 designated.\n\n15\n NIST SP 800-37, \xe2\x80\x9cGuide for the Security Certification and Accreditation of Federal Information Systems,\xe2\x80\x9d dated\nMay 2004.\n\n\n                                                      19\n\x0c             To determine whether a security impact assessment would have identified\n             security violations or improper configurations, we conducted compliance checks\n             on production UNIX and supporting Windows servers. We did not find any\n             critical security violations; however, we did find a number of improper\n             configurations, which should be addressed. We provided OCIO with the results\n             of the compliance checks.\n\n             The configuration tests that we completed indicated that there were security\n             violations or improper configurations to the systems that had not been addressed,\n             thereby leaving data and information open to risk. Without a proper security\n             assessment, HUD could not ensure that it had adequately protected its systems\n             that process critical information.\n\nConclusion\n\n\n             HUD\xe2\x80\x99s OCIO did not follow its own or federal policy when it made a significant\n             change to a general support system without performing a security impact\n             assessment. This resulted in security violations and improper configurations that\n             had not been addressed, thereby leaving data and information open to risk. 
This\n             situation occurred because OCIO accepted its information technology contractor\xe2\x80\x99s\n             assertion that a security impact assessment was not needed, although the decision\n             directly contradicted HUD and federal policy. The migration from Solaris 8 to\n             Solaris 10 directly affected servers that housed FHA\xe2\x80\x99s core financial system and\n             financial data that were the source for FHA\xe2\x80\x99s financial reports. The lack of\n             review before the conversion might have left this information susceptible to\n             undetected changes, which could call into question the validity of the FHA\n             financial statements.\n\n\nRecommendations\n\n         We recommend that the Acting Chief Information Officer\n\n         4A. Complete a certification and accreditation of the general support systems that\n             upgraded from the Solaris 8 to the Solaris 10 operating system.\n\n         4B. Provide training to system owners, including the general support systems\n             owners, to ensure an understanding of federal regulations and the HUD\n             handbook with regard to significant changes to their systems.\n\n         4C. 
Issue a memorandum to its IT infrastructure contractors reminding them of\n             their contractual obligation to fully comply with HUD security policy and\n\n\n\n                                             20\n\x0cobtain a signed acknowledgment and complete, at minimum, a security impact\nassessment of the changes when significant changes are made to general\nsupport systems and obtain in writing from the contractors their assurance that\nthey understand and accept this requirement.\n\n\n\n\n                            21\n\x0c                 SCOPE AND METHODOLOGY\n\nWe performed the audit\n           \xe2\x80\xa2   From June through December 2007,\n           \xe2\x80\xa2   At HUD headquarters in Washington, DC, and\n           \xe2\x80\xa2   In accordance with generally accepted government auditing standards.\n\nWe reviewed information security documents, Office of Housing major applications, and\nthe general support systems\xe2\x80\x99 compliance with federal and HUD information security\nrequirements. We focused on organizational structure and security documents that were\ncreated in fiscal year 2007.\n\nWe used a selective sampling method to evaluate the compliance of the seven selected\nOffice of Housing major applications from a universe of 40 major FHA applications\nreported in HUD\xe2\x80\x99s system inventory list as of January 19, 2007. 
The seven major\napplications were selected because they were managed by the Office of Housing, supported\nFHA program areas, and were categorized as major applications.\n\nTo accomplish our objectives, we reviewed policies and procedures, interviewed FHA\nsystem owners for each application, and obtained and analyzed supporting documentation.\nWe also interviewed staff from OCIO, the Office of Integration and Efficiency, and the\nOffice of Housing\xe2\x80\x99s Office of Finance and Budget, Office of Systems and Technology, to\nbetter understand the structure and organization upon which information security was based\nin the Office of Housing. These interviews were conducted to determine roles and\nresponsibilities of the system owners from their perspectives and compare them to what is\nstated in HUD policy. We also conducted compliance checks on production UNIX and\nsupporting Windows servers where major FHA applications reside to determine whether a\nsecurity impact assessment would have identified security violations or improper\nconfigurations.\n\n\n\n\n                                        22\n\x0c                             INTERNAL CONTROLS\n\nInternal control is an integral component of an organization\xe2\x80\x99s management that provides\nreasonable assurance that the following objectives are being achieved:\n\n   \xe2\x80\xa2   Effectiveness and efficiency of operations,\n   \xe2\x80\xa2   Reliability of financial reporting, and\n   \xe2\x80\xa2   Compliance with applicable laws and regulations.\n\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet its\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. 
They include the systems\nfor measuring, reporting, and monitoring program performance.\n\n\n\n Relevant Internal Controls\n              We determined the following internal controls were relevant to our audit objectives:\n\n              \xe2\x80\xa2   Appropriate level of access to data and systems,\n              \xe2\x80\xa2   Compliance with personnel security requirements,\n              \xe2\x80\xa2   Design and implementation of information security baseline controls,\n              \xe2\x80\xa2   Compliance with certification and accreditation, and\n              \xe2\x80\xa2   Compliance with information security assessments.\n\n              We assessed the relevant controls identified above.\n\n              A significant weakness exists if management controls do not provide reasonable\n              assurance that the process for planning, organizing, directing, and controlling\n              program operations will meet the organization\xe2\x80\x99s objectives.\n\n\n Significant Weaknesses\n\n\n              Based on our review, we believe the following item is a significant weakness:\n\n              \xe2\x80\xa2   FHA and HUD\xe2\x80\x99s OCIO had not fully integrated the federal information\n                  security program framework with their organizational processes to ensure that\n                  security documents, continuous monitoring, personnel security, and\n                  appropriate access to systems and data were adequate (findings 1, 2, 3, and 4).\n\n\n\n\n                                               23\n\x0c                   FOLLOWUP ON PRIOR AUDITS\n\n\nReview of FHA Controls over\nIts Information Technology\nResources\nAudit Report: 2008-DP-0002\nOctober 31, 2007\n\n\n           The following recommendations from our prior audit remain open:\n\n           1A. Design and implement an FHA information security program consistent\n               with HUD and federal requirements to include\n                i. 
Designating a senior FHA staff member to lead information technology\n                   and security functions within FHA. The FHA security function would\n                   be subordinate to HUD\xe2\x80\x99s for external reporting and department-wide\n                   information security issues but would be able to focus and enhance HUD\n                   requirements for FHA-specific needs and risks.\n                ii. Ensuring that a compliant information security risk-based framework is\n                    implemented for all FHA applications.\n\n           1B. Direct application system owners to fully assume the roles and\n               responsibilities of system owners in accordance with HUD IT Security\n               Policy - Handbook 2400.25, REV-1.\n\n           1C. Mandate a role-based training program for FHA program staff with\n               significant information security responsibilities.\n\n           2A. Structure the management authorities relating to information security\n               functions so that they provide the oversight necessary to ensure that\n               information security receives the consideration needed when allocating\n               resources.\n\n           2B. Direct application system owners to determine the amount and type of\n               resources needed to ensure adequate security for their systems.\n\n           2C. Develop an FHA-wide plan to ensure that the dollar amount and resources\n               are listed in budget requests and that resources are adequate to complete\n               security for their systems.\n\n           2D. 
Revise the HUD standard business impact analysis to include all necessary\n               elements outlined in NIST SP 800-34, \xe2\x80\x9cContingency Planning Guide for\n               Information Technology Systems,\xe2\x80\x9d so that the analysis supports the\n               preparation of the continuity of operations and business resumption plans.\n\n\n                                          24\n\x0c2E. Provide additional guidance and training to application system owners\n    regarding completion of their application\xe2\x80\x99s business impact analysis.\n\n3A. Complete the design and implementation of an information security program\n    to include\n       \xe2\x80\xa2   Accurate and fully agreed-upon descriptions of program office\n           application system owner roles and responsibilities.\n       \xe2\x80\xa2   Documented processes, procedures, or agreements related to the\n           implementation of information security controls with FHA for each\n           general support system on which its applications reside.\n       \xe2\x80\xa2   Documenting, in HUD\xe2\x80\x99s information technology policy, the use of the\n           Information System Security Forum as a user representative forum for\n           each general support system. The forum could be used to update the\n           security officer on the status of information security policy on the\n           general support systems on which its applications reside.\n\n3B. Develop and provide role-based training to FHA staff with information\n    security roles and responsibilities, including but not limited to\n       \xe2\x80\xa2   Application system owners,\n       \xe2\x80\xa2   Information system security officers,\n       \xe2\x80\xa2   Project managers, and\n       \xe2\x80\xa2   Authorizing officials and other staff with management responsibilities\n           for the certification and accreditation process.\n\n3C. 
Require FHA authorizing officials, information system owners, and\n    information system security officers to obtain the training necessary to\n    assume their information security roles and responsibilities.\n\n\n\n\n                                25\n\x0c                        APPENDIXES\n\nAppendix A\n\n        AUDITEE COMMENTS AND OIG\xe2\x80\x99S EVALUATION\n\n\nRef to OIG Evaluation      Auditee Comments\n\n\n\n\n                            26\n\x0cComment 1\n\n\n\n\n            27\n\x0c28\n\x0cComment 2\n\n\n\n\nComment 3\n\n\n\n\n            29\n\x0c30\n\x0cComment 4\n\n\n\n\nComment 5\n\n\n\n\n            31\n\x0c32\n\x0cComment 6\n\n\n\n\n            33\n\x0c34\n\x0c                         OIG Evaluation of Auditee Comments\n\nComment 1   OIG agrees with FHA\xe2\x80\x99s implemented corrective actions as stated. OIG also\n            requests that supporting documentation and the completion dates be provided in\n            order to confirm complete implementation of this recommendation. Once\n            confirmed, no further correction action is necessary from FHA and this\n            recommendation can be closed.\n\nComment 2   OIG agrees with FHA\xe2\x80\x99s implemented corrective actions. OIG also requests that\n            supporting documentation and the completion dates be provided in order to\n            confirm complete implementation of this recommendation. Once confirmed, no\n            further correction action is necessary from FHA and this recommendation can be\n            closed.\n\nComment 3   OIG agrees with FHA\xe2\x80\x99s implemented corrective actions as stated. OIG also\n            requests that supporting documentation and the completion dates be provided in\n            order to confirm complete implementation of this recommendation. 
Once\n            confirmed, no further correction action is necessary from FHA and this\n            recommendation can be closed.\n\nComment 4   OIG has revised the recommendation to reflect that the action OCIO is to carry\n            out is contingent \xe2\x80\x9cupon FHA\xe2\x80\x99s confirmation notification.\xe2\x80\x9d\n\nComment 5   OIG has made minor revisions to this recommendation based on discussions with\n            OCIO.\n\nComment 6   OIG reevaluated the recommendation based on OCIO\xe2\x80\x99s comments and has\n            revised the recommendation accordingly.\n\n\n\n\n                                            35\n\x0c'